Summary
Under the proposed Cloud and AI Development Act (CADA), national competent authorities are legally bound to perform their supervisory and enforcement tasks in an impartial, transparent, and timely manner. Article 25(3) of the proposal explicitly mandates this tripartite standard to ensure consistent application of the sovereignty framework across the Union. Furthermore, Article 26(4) establishes a critical good-administration safeguard: any exercise of investigative or enforcement powers must be subject to adequate safeguards under national law, explicitly including the right to be heard, the rights of defence, and the right to access the file. These provisions ensure that while authorities possess robust powers to inspect and penalize, they cannot act arbitrarily.
Detail
The Cloud and AI Development Act (CADA) establishes a rigorous framework for cloud computing sovereignty, requiring strict oversight to ensure that providers meet the necessary Union assurance levels. To maintain the integrity of this system, the proposal imposes specific behavioral and procedural obligations on the national competent authorities designated by Member States to enforce the regulation. These obligations are not merely aspirational; they are binding legal requirements designed to protect the single market and the rights of regulated entities.
The Tripartite Mandate: Impartiality, Transparency, and Timeliness
The cornerstone of the supervisory regime is found in Article 25(3) of the CADA proposal. This provision states: "Member States shall ensure that their competent authorities perform their tasks under this Regulation in an impartial, transparent and timely manner."
This tripartite obligation serves distinct but interconnected functions:
- Impartiality: Authorities must act without bias, ensuring that decisions regarding the recognition of cloud services (under Article 17) or the imposition of penalties (under Article 24) are based solely on factual compliance with the regulation. This prevents decisions from being influenced by political pressures, commercial interests, or discriminatory treatment of providers based on their origin or size.
- Transparency: The regulatory process must be open and understandable. This includes the obligation to maintain a public register of competent authorities (Article 25(2)) and a central repository of recognized services (Article 22). Transparency ensures that market participants can verify the status of providers and the identity of their regulators, fostering trust in the sovereignty framework.
- Timeliness: Given the fast-moving nature of the cloud market, delays in recognition or enforcement can cause significant market distortion. Article 25(3) reinforces the strict deadlines set elsewhere in the text, such as the 60-day period for authorities to assess applications for recognition (Article 17(5)). Timeliness ensures that the regulatory framework does not become a bottleneck for innovation or public procurement.
Good Administration and Procedural Safeguards
While Article 25(3) sets the general standard of conduct, Article 26(4) provides the specific procedural safeguards that protect providers during investigations and enforcement actions. The proposal grants authorities significant powers under Article 26(1) and (2), including the power to require information, conduct on-site inspections, seize data, and impose fines or periodic penalty payments.
Crucially, Article 26(4) states that any exercise of these powers "shall be subject to adequate safeguards under applicable national law in compliance with the general principles of Union law." The provision explicitly lists the following safeguards that Member States must guarantee:
- The right to respect for private life.
- The rights of defence.
- The right to be heard.
- The right to have access to the file.
- The right of all affected parties to an effective judicial remedy.
This alignment with the broader EU principle of good administration ensures that authorities cannot wield their investigative tools arbitrarily. The requirement for "adequate safeguards" means that national laws transposing or implementing CADA must provide clear avenues for providers to challenge authority actions, request evidence, and present their case before penalties are finalized. For instance, before a fine is imposed, the provider must have the opportunity to be heard and to access the file containing the evidence against them.
Proportionality and Consistency in Enforcement
The obligation to act impartially and transparently is reinforced by the penalty regime in Article 24 and the proportionality requirements in Article 26(3). Member States must lay down rules on penalties that are "effective, proportionate and dissuasive." When determining penalties, authorities must consider criteria such as the nature, gravity, and duration of the infringement, as well as any action taken by the infringing party to mitigate damage (Article 24(2)).
Article 26(3) further requires that measures taken by authorities be "effective, dissuasive and proportionate," taking into account the nature, gravity, recurrence, and duration of the infringement, as well as the economic, technical, and operational capacity of the service provider. This proportionality test is a direct application of the impartiality and good-administration principles, preventing authorities from imposing crushing fines on smaller entities for minor procedural errors or treating similar violations disparately across the Union.
Cross-Border Consistency
The principles of impartiality and transparency also extend to cross-border cooperation. Under Article 27 (Mutual Assistance) and Article 28 (Cross-Border Cooperation), authorities must share information and coordinate investigations. Article 27(1) requires authorities to "cooperate closely and provide each other with mutual assistance to apply this Chapter in a consistent and efficient manner." Consistency here is a proxy for impartiality; if one Member State ignores a violation that another penalizes, the single market for sovereign cloud services is undermined. Therefore, the transparent exchange of information and the timely response to requests for assistance (within two months, per Article 27(3)) are critical to maintaining a level playing field.
What this means for you
For in-house counsel and compliance officers, these provisions offer both a shield and a roadmap for interaction with regulators.
- Invoke Procedural Rights: If a national competent authority delays a recognition application beyond the statutory 60-day period (Article 17(5)) or conducts an inspection without following national procedural safeguards, you have grounds to challenge this under Article 26(4). Ensure your legal team reviews the national implementing laws to verify that the "right to be heard" and "access to the file" are explicitly guaranteed in your jurisdiction.
- Document Interactions: The transparency obligation implies that your interactions with authorities should be documented. Keep records of all submissions, requests for information, and responses. This documentation is vital if you need to demonstrate that you acted in good faith or if you need to appeal a decision based on procedural errors.
- Monitor Consistency: Since CADA aims for a harmonized EU-wide framework, watch for divergent interpretations by different Member States. If an authority in one country imposes a penalty that seems disproportionate compared to similar cases elsewhere, use the mutual assistance mechanisms (Article 27) and the oversight role of the Commission to highlight inconsistencies.
- Prepare for Inspections: Article 26(1) grants authorities significant investigative powers, including on-site inspections. Ensure your internal compliance protocols are ready to facilitate these inspections efficiently. The "timely" requirement for authorities also means they should not unreasonably delay the process, but your cooperation can help expedite outcomes.
Common misconceptions
- "Impartiality means authorities cannot investigate aggressively." Incorrect. Impartiality requires neutrality in decision-making, not passivity. Authorities are expected to be "dissuasive" (Article 26(3)) and to actively enforce the regulation. They can and will investigate suspected infringements vigorously, provided they follow due process and treat all providers equally.
- "Transparency means all audit details are public." Incorrect. While the recognition status of a service is public (Article 22), the audit reports and sensitive commercial information obtained during investigations are subject to confidentiality obligations. Article 20(3) and Article 26(4) emphasize the protection of trade secrets and private life. Transparency applies to the process and outcomes (e.g., who is recognized, who is fined), not the underlying proprietary data.
- "Timeliness guarantees a quick approval." Incorrect. Timeliness refers to the authority's duty to process applications and investigations within set deadlines (e.g., 60 days for assessment under Article 17). It does not guarantee that your application will be approved. If the evidence is insufficient, the authority may request further information, suspending the clock (Article 17(5)(b)), up to a maximum of 30 days unless justified by exceptional circumstances.
This is general information about a draft EU regulation, not legal advice.